How to Configure SSL/TLS with Apache on AlmaLinux

We will walk you through the steps to configure SSL/TLS with Apache on AlmaLinux, covering both self-signed and Let’s Encrypt certificates for practical deployment.
By İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

In today’s digital landscape, securing web traffic is a top priority for website administrators and developers. Configuring SSL/TLS (Secure Sockets Layer/Transport Layer Security) on your Apache web server not only encrypts communication between your server and clients but also builds trust by displaying the “HTTPS” padlock icon in web browsers. AlmaLinux, a reliable and enterprise-grade Linux distribution, pairs seamlessly with Apache and SSL/TLS to offer a secure and efficient web hosting environment.

In this comprehensive guide, we’ll walk you through the steps to configure SSL/TLS with Apache on AlmaLinux, covering both self-signed and Let’s Encrypt certificates for practical deployment.

Why SSL/TLS is Essential

SSL/TLS is the backbone of secure internet communication. Here’s why you should enable it:

  1. Encryption: Prevents data interception by encrypting traffic.
  2. Authentication: Confirms the identity of the server, ensuring users are connecting to the intended website.
  3. SEO Benefits: Google prioritizes HTTPS-enabled sites in search rankings.
  4. User Trust: Displays a padlock in the browser, signaling safety and reliability.

Prerequisites for Configuring SSL/TLS

To begin, make sure you have:

  1. A Server Running AlmaLinux
    Ensure you have root or sudo access.

  2. Apache Installed and Running
    If not installed, you can set it up by running:

    sudo dnf install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd

  3. DNS Configuration
    Your domain name (e.g., example.com) should point to your server’s IP address.

  4. Firewall Configuration
    Allow HTTPS traffic:

    sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Step-by-Step Guide to Configure SSL/TLS

Step 1: Install OpenSSL

OpenSSL is a widely used tool for creating and managing SSL/TLS certificates. Install it with:

sudo dnf install mod_ssl openssl -y

This will also install the mod_ssl Apache module, which is required for enabling HTTPS.

Step 2: Create a Self-Signed SSL Certificate

Self-signed certificates are useful for internal testing or private networks. For production websites, consider using Let’s Encrypt (explained later).

  1. Generate a Private Key and Certificate:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/selfsigned.key -out /etc/pki/tls/certs/selfsigned.crt

    During the process, you’ll be prompted for information like the domain name (Common Name or CN). Provide details relevant to your server.

  2. Verify the Generated Certificate: Check the certificate details with:

    openssl x509 -in /etc/pki/tls/certs/selfsigned.crt -text -noout

Step 3: Configure Apache to Use SSL

  1. Edit the SSL Configuration File: Open the default SSL configuration file:

    sudo nano /etc/httpd/conf.d/ssl.conf

  2. Update the Paths to the Certificate and Key: Locate the following directives and set them to your self-signed certificate paths:

    SSLCertificateFile /etc/pki/tls/certs/selfsigned.crt
SSLCertificateKeyFile /etc/pki/tls/private/selfsigned.key

  3. Restart Apache: Save the file and restart the Apache service:

    sudo systemctl restart httpd

Step 4: Test HTTPS Access

Open a web browser and navigate to your domain using https://your-domain. You may encounter a browser warning about the self-signed certificate, which is expected. This warning won’t occur with certificates from a trusted Certificate Authority (CA).

Step 5: Install Let’s Encrypt SSL Certificate

For production environments, Let’s Encrypt provides free, automated SSL certificates trusted by all major browsers.

  1. Install Certbot: Certbot is a tool for obtaining and managing Let’s Encrypt certificates.

    sudo dnf install certbot python3-certbot-apache -y

  2. Obtain a Certificate: Run the following command to generate a certificate for your domain:

    sudo certbot --apache -d example.com -d www.example.com

    Certbot will:

    • Verify your domain ownership.
    • Automatically update Apache configuration to use the new certificate.

  3. Test the HTTPS Setup: Navigate to your domain with https://. You should see no browser warnings, and the padlock icon should appear.

  4. Renew Certificates Automatically: Let’s Encrypt certificates expire every 90 days, but Certbot can automate renewals. Test automatic renewal with:

    sudo certbot renew --dry-run

Advanced SSL/TLS Configuration

1. Redirect HTTP to HTTPS

Force all traffic to use HTTPS by adding the following directive to your virtual host configuration file:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Restart Apache to apply changes:

sudo systemctl restart httpd

2. Enable Strong SSL Protocols and Ciphers

To enhance security, disable older, insecure protocols like TLS 1.0 and 1.1 and specify strong ciphers. Update your SSL configuration:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

3. Implement HTTP/2

HTTP/2 improves web performance and is supported by modern browsers. To enable HTTP/2 in Apache:

  1. Install the required module:

    sudo dnf install mod_http2 -y

  2. Enable HTTP/2 in your Apache configuration:

    Protocols h2 http/1.1

Restart Apache:

sudo systemctl restart httpd

4. Configure OCSP Stapling

OCSP stapling enhances certificate validation performance. Enable it in your Apache SSL configuration:

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

Troubleshooting Common Issues

  1. Port 443 is Blocked:
    Ensure your firewall allows HTTPS traffic:

    sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

  2. Incorrect Certificate Paths:
    Double-check the paths to your certificate and key in the Apache configuration.

  3. Renewal Failures with Let’s Encrypt:
    Run:

    sudo certbot renew --dry-run

    Check logs at /var/log/letsencrypt/ for details.

  4. Mixed Content Warnings:
    Ensure all assets (images, scripts) are served over HTTPS to avoid browser warnings.

Conclusion

Securing your Apache web server with SSL/TLS on AlmaLinux is a crucial step in protecting user data, improving SEO rankings, and building trust with visitors. Whether using self-signed certificates for internal use or Let’s Encrypt for production, Apache provides robust SSL/TLS support to safeguard your web applications.

By following this guide, you’ll have a secure web hosting environment with best practices for encryption and performance optimization. Start today to make your website safer and more reliable!

Last modified 09.01.2025: msfconsoel translations ongoing... (f7e18da)